June 2017 Newsletter
By Steve Bock, President & CEO
How Lawful Intercept Can Help
When hackers – now suspected to be linked to North Korea – released the “WannaCry” botnot ransomware on Friday, May 12, 2017, the cyberattack unleashed against 250,000 computers in 150 countries created a shockwave.
Yet as monumental as WannaCry might have been, it was but the latest in a long series of cyberattacks against commercial enterprises, government agencies and ordinary civilians. A report by the Heritage Foundation, “Cyber Attacks on U.S. Companies in 2016,” details the rapid growth of cybercrime across the government and commercial sectors. Among the victims last year was one of the nation’s largest telecom operators, as well as tech leaders that are household names. This grim tale is all in the Heritage Foundation report.
When hackers penetrate a telecom operator, that is an issue of national concern – and to everyone in the country. Telecom is a critical infrastructure industry rightly considered essential to national security, public safety and the commercial interests that keep our economy and nation strong. While President Trump has issued an Executive Order on Cybersecurity and Congress is working on legislation, we in the telecommunications industry need to take action also.
One of the best but least heralded methods requires no intervention from the Executive or Legislative branches and has, in fact, been in place for nearly a quarter century: Lawful Intercept under the Communications Assistance for Law Enforcement Act. That’s right: CALEA can play an active role in preempting a cyberattack. It is fair to describe CALEA as the original cybersecurity system.
How CALEA helps plug “security gaps” in a network: If an authorized law enforcement agent, pursuant to a court order, can lawfully monitor a suspect on a network, a crime or terrorist plot may be prevented or readily solved. That applies to the cyber realm, as well. Lawful surveillance can be used to gather ironclad evidence of a crime committed – or in process – without harming the privacy of innocent civilians.
Communications service providers (CSPs) play an important role in keeping networks safe. All CSPs whose networks intersect the public switched telephone network (PSTN) are required by law to be in technical compliance with CALEA.
Are you doing your part? We hope so, but unfortunately that is not always the case.
When CSPs fail to comply with the law they put their networks and customers at grave risk of abuse. Among the more prominent examples:
- Phishing: Criminals use communications networks not only to communicate with each other but to victimize other network users. For example, “phishing attacks” prey on users by tricking them into complying with phony email messages that request personal financial information. Just clicking on a link in an innocent-looking email can trigger a virus that takes control of the victim’s PC or mobile phone. Foreign agents have penetrated U.S. networks to steal classified information, corporate trade secrets, and other private data using this type of attack. Phishing is also a “popular” method among criminals for launching ransomware attacks.
- Financial Fraud. Voice communications play a role in criminal schemes. In some instances, criminals have illegally intercepted VoIP (computer-processed voice) communications. Some fraudsters call senior citizens to talk them out of their savings. “Robo calls” tempt people to call back a certain number to win a fictitious vacation or other prize. Still other scammers use fake identities to register for communication service with no intention of paying the bills. Theft of service raises the cost of service for all users.
- Botnets. Often described as the greatest threat to the Internet, botnets or “zombie nets” are networks of private computers that are secretly taken over by criminals to commit a variety of illicit acts: theft of credit card numbers, bank credentials, health records and other personal information. Some botnets unleash Distributed Denial of Service (DDOS) attacks that can immobilize a website or corporate email server by overloading it with messages. Others act as “ransomware,” taking control of individual, campus or enterprise networks and denying access to the owners until a ransom is paid.
Unfortunately, in the wake of WannaCry, far too many people now have personal experience in dealing with phishing, botnets and ransomware crimes that CALEA can help prevent – but only if the CSP whose network was used in the crime obeys the law and is CALEA compliant. CSPs who fail to be in compliance with CALEA may find themselves unwitting accomplices in the next botnet/ransomware attack.
If you are a CSP reading these lines, we sincerely hope you are doing your part to protect our nation’s critical telecom infrastructure – and your customers – by ensuring compliance with this vital law. If you have any doubts, call us at 877.510.4357. As the CALEA Compliance Company®, Subsentio can set you on the path to cybersecurity.
Welcome to the Universe of Records
In the world of records production, it can be very easy to get lost amidst the various types of lawful process that can be served on a communications service provider (“CSP”). Records production requests can apply to both civil and criminal matters, and require the production of information ranging from call details to SMS data, and even content of communications. To make matters even more complicated, various states will have different legal requirements for the processing of records production requests. The good news is that Subsentio has the expertise to assist any CSP with handling these requests lawfully and efficiently. We can start by providing some insight into the basic forms of records production requests that a CSP will receive from time to time.
In general, there are two types of records production requests that can be served on a CSP by an issuing party. The first and most common is a Subpoena. The second is a Court Order. Both of these can come in various flavors and require production of various types of records. Examples of subpoenas:
- Subpoena Duces Tecum – a subpoena for things, used to request the majority of records that a CSP would retain such as transaction data records, subscriber information and other billing records. These records can be used in both civil and criminal cases, by either the prosecution or defense.
- Grand jury subpoena – a subpoena requesting witness and/or record production to determine if there is probable cause for criminal matters.
- Trial/witness subpoena – a subpoena requesting a personal appearance by a witness for trial. Generally, records were previously provided and the requesting party needs testimony to authenticate the records.
- Administrative subpoena – a subpoena issued by a governmental entity (state or federal) other than a court. This kind of subpoena is generally limited to obtaining basic customer information for a narrow time frame. It also may be limited to use by specific government entities.
The other major type of legal process a CSP might be served with is a Court Order. They are almost always authorized by a judge. The additional legal scrutiny they are subject to allows the serving party to obtain records that a subpoena might not authorize. They will also appear in several forms and can be based on a variety of statutory authorities:
- Court Order – written orders issued by a judge that permit the requesting person(s) to obtain records specified in the order. They may be issued pursuant to a finding of specific and articulable facts as required by Section 2703(d) in the Electronics Communication Privacy Act, or based on some other statutory authority granted to the judge.
- Search Warrant – a written order issued by a judge permitting law enforcement to search a specific place, identifying the persons (if known) and any articles intended to be seized. Warrants may only be applied for and only issued upon a finding of probable cause. Search warrants are typically used for more sensitive private customer data such as the content of communications, but can authorize the release of any data type that a CSP may retain.
The above defined terms only represent the tip of the iceberg of the various types of legal process that can be served on a CSP for customer records. There are roughly two dozen different types of legal instruments that can place a legal obligation on a CSP. It is essential that a CSP have at its disposal the knowledge base to make sure it releases only what is authorized pursuant to the law – and not risk damage to customer relations and satisfaction, or potential exposure to liability.
Products & Services
Why We Don’t Sell Just-in-Time Solutions
Martin McDermott, COO
From Arizona’s Family Channel 3: Missing Chandler Teen Found Safe; Suspect in Custody
“An Amber Alert has been cancelled for a missing Chandler teen who has been found safe. The suspect is in custody, officials said Monday afternoon. Terrianne Brooks, 15, and Douglas Jones, 40, were located by law enforcement in a remote area of the Navajo Reservation north of Tuba City, according to a spokeswoman for the FBI. Jones was taken into custody without incident.”
An Amber Alert to Subsentio means a life-threatening situation. When notified by law enforcement of an Amber Alert, we declare an exigent circumstance and immediately establish the requested lawful intercept, usually within 10 to 15 minutes. We do this without a court order. After verifying the validity of the agent contacting us, we ask that they sign our exigent authorization, which they do, signifying that the court order will arrive within 48 hours.
The rescue of the missing Arizona teenager would never have worked if our client had relied on what the industry calls a “Just-in-Time” (JiT) solution. JiT started out a decade ago when CALEA was just being introduced to VoIP and Internet Service Providers. It was basically sold as CALEA insurance. If a communications service provider (CSP) received a court order, then the company who sold the CALEA insurance would ship a “unit” (technology solution) overnight it to the carrier’s network technicians, who were then to install, test and implement the lawful intercept. The JiT concept sounded good at the time and was priced sufficiently low so that it was almost a “no brainer” choice for CSPs that didn’t want to pay the cost of a full-time technical solution.
In practice, however, JiT never worked. Let’s look at the piece parts of implementation to see why.
First, upon receipt of a court order, the CSP contacts their lawful intercept vendor. Whether by telephone or email, it takes time to reach the right person within the vendor, validate the customer information, identify the type of system that requires shipment and then ship the necessary units. For the sake of argument, let’s assume that this situation does NOT occur over a weekend, when all bets are off.
Next, part of the validation that the vendor must achieve is to make sure that the proper unit is sent for the proper application. Is it VoIP, Broadband or maybe another service entirely? What’s the location? Who should it go to? Once this essential information is nailed down, the unit can be shipped. With that, the vendor has fulfilled its pledge outlined in the agreement. Now it is up to the carrier to institute the lawful intercept.
But problems can arise very quickly. In all likelihood, the carrier’s technicians have never seen or used this type of equipment before. They may have no idea where to install it within their network, and if they do manage to get it installed, how to test it to make sure that it is able to provide the intercept, how to connect the unit to the designated law enforcement monitoring center location – or even where that facility might be. Certainly, they can fill in the blanks, but that takes still more time. And with any court order, time is of the essence, particularly for an exigent circumstance such as an Amber Alert, when it can involve a life or death situation.
Amber Alerts are not the only instances where JiT reveals its inherent weaknesses.
The dramatic increase in lawful intercept court orders has led to other serious ramifications for law enforcement when a CSP relies on JiT. We are aware of one case where an LEA lost 18 days of evidence as a direct result of the service provider’s JiT solution. That is unacceptable.
When LEAs can’t do their job and lives are put at risk as a result, it’s clear that we have long since passed the time to consign JiT to the history books and replace it with bona fide lawful intercept solutions that fully meet the needs and expectations of ensuring public safety and national security. That is Subsentio’s firm position on JiT – and on the correct approach to lawful intercept.
Subsentio is a Trusted Third Party. In that role we provide our end-to-end service bureau: installation, testing and certification of a technical solution appropriate to the CSP; review of court orders to ensure accuracy and correctness; implementation of the lawful intercept; and close liaison with the relevant law enforcement agency.
Subsentio’s unique service bureau model not only places our many clients in Safe Harbor with the technical requirments of CALEA, but goes “all the way” to help ensure that the full process of lawful intercept works flawlessly from start to finish.
Rules & Regs
CSPs’ Challenge of Expanding Service to the EU
Joel Margolis, General Counsel
Complying with EU Mandates for Privacy and Law Enforcement
As American communications service providers expand their networks to the European Union they’ll confront a phalanx of new privacy laws and evolving mandates to assist law enforcement. The following examines the regulatory hurdles.
The Pro-Privacy Trend
The EU recently adopted its General Data Protection Regulation, which expanded and strengthened EU data privacy law, and scheduled it to take effect in May of 2018. Among other things, the GDPR restricts the manner in which the personally identifiable data of EU “data subjects” may be “transferred” outside the EU. The new law also increases the fines for privacy infringements. Accordingly, U.S. communications providers that operate in the EU will soon be required to follow strict new protocols for the handling of EU subscriber data.
Further complicating the EU privacy landscape is Great Britain’s exit from the EU. Will the British apply the GDPR and ePrivacy Proposal, or chart their own path to privacy protection? U.S. service providers expanding to Europe may need to comply with one set of rules in Britain and another in the rest of the EU.
The world dominance of US. Internet companies, along with disclosures about the vast surveillance capabilities of the U.S. National Security Agency, continue to fuel EU demands for stronger privacy protection. These privacy fears may have been exacerbated by recent allegations regarding U.S. surveillance of Russian diplomats and members of President Trump’s campaign staff. News reports like these can only motivate Europeans to toughen their privacy defenses.
The Pro-Law Enforcement Trend
Countering Europe’s pro-privacy trend are calls to give law enforcement more surveillance power to thwart terrorist attacks. The terrorist threat has continued unabated across the continent.
In response, some EU states have maintained or revised their data retention laws, even though the European Court of Justice struck down the EU-wide data retention mandate in 2014. Germany adopted a data retention law in December of 2016. The new law, which takes effect in July of this year, will require the retention of communications metadata by any communications provider with facilities in Germany.
Great Britain adopted its Investigatory Powers Act in Dec 2016, though it has not yet taken effect. Under this pro-law enforcement statute, the government may serve a “technical capability notice” on a domestic or foreign communication provider with facilities in the country and then compel the provider to upgrade its network with certain surveillance capabilities.
Most alarming to the communications industry, the EU and certain EU member states are considering “data localization” laws. These measures, currently adopted only in countries such as Russia, China and Brazil, would keep a nation’s communications data stored within its borders, thereby facilitating investigations of the data by law enforcement. Network owners loathe the prospect of building a separate data center in each country they serve.
Recurring cyberattacks worldwide have stolen mountains of private information and paralyzed communications networks. This threat alone may lead governments in all jurisdictions, including the EU, to intensify law enforcement scrutiny of Internet activity. If so, the authorities will likely expect increased cooperation from network owners.
The Challenge for U.S. Communications Providers
Any U.S. company may face legal challenges when entering foreign markets such as the EU. But for U.S. communications providers such expansion poses uniquely complex risks. American operators in Europe increasingly find themselves squeezed between demands for more privacy and more public safety.
How American competitors will contend with the EU’s regulatory tug-of-war is difficult to predict. In the age of cloud computing and virtualization it is unclear how a service provider will even know where to find a particular suspect’s traffic, let alone protect its privacy or help law enforcement monitor it. Let’s say a provider serves EU member state ABC and receives a court surveillance order from that state, but during the period of the intercept the suspect travels to EU member state XYZ. Must the provider maintain the intercept or wait for a second order from a judge in XYZ? What if the suspect goes to XYZ but his or her traffic remains in ABC?
Do You DMCA?
Martin McDermott, COO
If You Want to be in Safe Harbor, You Need to
Say you’re an Internet Service Provider. You offer a variety of broadband services to your customers. You suddenly receive a complaint from Netflix, Apple or other source that one of your subscribers has uploaded copyright-protected material to a website without paying. In other words, said subscriber has, in fact, stolen copyrighted material. The polite word is infringement. The website wants it to stop. They’ve come to you to stop it. You’re at risk.
Think not? A major tier one ISP was issued a judgment of $25 million just last December for ignoring the Digital Millennium Copyright Act (DMCA). Paying attention now?
Section 512 of the DMCA allows content owners the right to send DMCA infringement claims to the website, or individual hosting vendor, on copyright infringement events. ISPs hosting offending websites are provided Safe Harbor from infringement liability as long as they address claims by passing on the notice to the offending subscribers.
Are you in Safe Harbor? How do you ensure you’re protected from liability?
To be absolved of copyright infringement liability you must first meet one or more of the DMCA Safe Harbor provisions. These provisions list the services that ISPs provide to their customers. They help establish that the ISP is not complicit in any copyright infringement but is merely a “middle man” through which an end user may commit an infringement. As long as an ISP operates in its traditional capacity for a member of that industry, it will usually meet one of these qualifications.
However, qualifying alone doesn’t guarantee Safe Harbor. The DMCA also places the onus of addressing valid notice claims on the ISP. There are two major components of this responsibility:
- If an ISP has received a DMCA infringement claim that fulfills the requirements under the DMCA statute, the ISP must notify its subscriber of the alleged infringement and request removal of the copyrighted material.
- If the infringement continues, the ISP must terminate service to repeat offenders.
By “address” the claims, the DMCA provisions mean that the ISP must identify the subscriber each specific infringement claim is targeting by the IP address and timestamp identified, and then pass that claim along to the subscriber letting them know their actions are in violation of copyright law and asking them to abstain from any future copyright violations.
The first part is clear. Part 2 – termination to repeat offenders – is not as clearly defined. The DMCA statute simply states under the conditions for eligibility that a service provider must adopt “a policy that provides for the termination in appropriate circumstances of subscriber and account holders of the service provider’s system or network who are repeat infringers.”
The statute says that the ISP needs to terminate service to repeat infringers, but it provides no definition of a repeat infringer. There is no suggestion of how many times a subscriber should incur repeat infringement notifications before the ISP pulls the plug. This is left up to the ISP to define within their policy. What happens if the ISP doesn’t want to lose a customer and prevaricates? Not a good corporate policy for the long haul – and one that can lead to fines for the ISP.
ISPs on average receive hundreds of DMCA claims per month. There is a very good chance that many ISPs are simply ignoring them, creating a backlog in the thousands. Up until that $25 million judgment in December 2016, no one paid much attention. Now, it is a different story. The onus is on the ISP to address these claims if it wants to be in Safe Harbor.
What should you do? Right now, register with the Copyright Office. Create and post a formal DMCA policy that includes subscriber termination for copyright infringement. Then implement a procedure for addressing claims, and eliminate the back log.
Need help? Call Subsentio at 877.510.4357. Subsentio helps ISPs meet their DMCA requirements every day. We can guide you on policy formation. We can institute procedures that are cost effective and efficient to eliminate the DMCA backlog and place you in Safe Harbor.